James R. Mirick sets the record straight on things he cares about

Fear and Overreaction: the Continuing Legacies of Terrorist Attacks

I am hoping that now that we have brought about an abrupt end to Osama bin Laden’s involvement in the International Terror franchise, that cooler heads might prevail in fashioning our response to the actually-continuing threats from various domestic and international nut-cases. I’m not optimistic.

Look, here’s the crux of it. In the decade since 9/11/2001, we have spent roughly a trillion dollars on counter-terrorism activities. A trillion dollars. This is in response to Osama’s maniacs who killed just over 2,800 people on 9/11. Of course, that’s awful, and a tragedy. But at the same time, right around 3,000 people will be killed this month in traffic accidents, and another 3,000 will be killed next month, and the month after that. We take reasonable precautions against being involved in traffic accidents, but it seems that the same standard of reasonableness is not applied to our (national) precautions against being the victim of a terrorist event. Virtually all of this trillion-dollar expenditure has been made without any kind of cost-benefit or effectiveness analysis that would demonstrate that these were dollars well spent, or that they have made us safer.

(Incidentally, in researching this subject, I asked a number of people how many were killed in the 9/11 attacks. The numbers I got ranged from 5,000 to 25,000, with most clustering around 15,000, or over 5 times the number who actually died. So as a society we’ve already inflated the damage, and therefore the threat, quite a bit.)

Lots of the people involved with all this spending then say, “we know things you don’t, it’s all very secret, you just have to take our word for it that what we’re doing is right.” Well, you know, after the firehose of government lying and exaggeration that went into the run-up to the Iraq invasion, I really don’t believe you. And if the Transportation Security Administration is an example of the quality of your work, I want an immediate audit.

Just in case you’re in danger of falling asleep reading this, here’s the news, in condensed format:

Our responses to the threats of terrorist attacks on our country (both cyber-threats and regular ordinary terrorist threats) are grossly out of proportion to the actuarial likelihood of either the attack, or the economic or human losses from them;

Many of the things we do to protect ourselves are ineffective, costly, sometimes make us in fact less secure, and in the bargain threaten our civil liberties and the foundation of the Internet;

This does not mean that there are no threats to us, of course there are, and we need to prepare to face them;

But what we need is a measured, focused, risk-driven approach that scales our preventative measures to the realistic dimensions of the threats we face, not an overblown, spend-anything, corporate-greed-driven, go-nuts program.

Unfortunately, this is what we have going right now.

I’m a cyber kind of guy, and I spend a fair amount of time dealing with cyber-threats for my employer, I’m going to focus this post on cyber-security, but basically the same criticisms hold for terrorist threats against physical targets, too.

Currently the American public is being force-fed a relentless barrage of nonsense in the press, and even in the halls of Congress. This line of thinking holds that we are as a nation exposed to horrific attacks against our infrastructure by stateless jihadis or hostile governments via the Internet, how we are defenseless against these attacks, how our way of life will vanish, millions will be killed or starve, and so on.

The best (or worst) example of this is the book Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke (a former cyber-security adviser to the White House) and Richard K. Knacke of the Council on Foreign Relations (2010). This book serves up 300 pages of the most apocalyptic descriptions of cyber-catastrophe, including chemical plants and refineries exploding and spewing toxins, nationwide power failures, trains sent off the tracks, airliners colliding, networks rendered mute, food shortages, hospitals thrown into chaos, and societal breakdown with widespread looting and rioting. All this, ” . . . without a single terrorist or soldier appearing in the country.”

Unfortunately, they never offer the slightest shred of evidence that such an attack has ever been tried, or is even technologically feasible, and as such is more a work of speculative fiction than a sober report of the state of our cyber-defenses, whatever they are. That is typical of this whole discussion: it is driven by point-blank assertions, with no evidence to back them up. Even when they, or others, allege that such attacks have indeed already taken place, they provide no specifics about the method or the actual losses we have sustained.

In Congress, we have had hearings and public pronouncements by all manner of worthies. For just one example (I do give examples!) Senator Jay Rockefeller on 3/19/2009 made the following blanket statement:

It would be very easy to make train switches so that two trains collide, affect or disrupt water and electricity, or release water from dams, where the computers are involved. How our money moves, they could stop that. Any part of the country, all of the country, is vulnerable. How the Internet and telephone systems work, attackers could handle that rather easily.

If you take this at face value, it does seem pretty scary. But believe me, as one whose whole career has been in software development and system implementation, just asserting something is possible a very long way from actually being able to do it. Mostly, in all the Congressional hearings, and in Clarke and Knacke, all we get is this kind of talk but with no empirical evidence discussing how these attacks would possibly work. And unfortunately, all this loose talk is treated as the foundation for hundreds of billions of dollars of public expenditures, and this is nuts.

I won’t bore you with further examples of this breathless hyperbole, the references at the end of this post contain many more, if you need further proof.

Why is it we in the public seem to be falling for such histrionics? I think there are a couple of things at work here. First, individual people, and people they know, feel vandalized by spam, identity theft, and Facebook account-hijacking by password theft or guessing. They hear about the theft of corporate and governmental databases, which seem to continue unabated. They don’t understand how to protect themselves, so they fear the worst, and extend that fear to the country and to the rest of the government.

Another thing at work here is a long-standing generalized fear of technology “moving too fast for us,” a fear that has reared its head in many guises during the last 150-200 years (in other words, since the invention of modern technology):

Frankenstein came out about the time when electricity was being explored and tamed, and explored the whole concept that somehow we might be able to create and animate soul-less beings through this mysterious power;

In the book Victorian Internet, there is a whole section devoted to the social and personal stresses brought about by the invention of the telegraph, and these stresses were not inconsiderable;

The early years of the 20th Century spawned lurid tales of “wire devils,” crooks and confidence men who people felt would exploit and victimize them via the telegraph, because they could not see who they were dealing with face to face;

After World War II there were large numbers of movies that featured Godzilla or other prehistoric monsters awakened from their unknown lairs by the explosions of atomic bombs, to come ashore and lay waste to humanity, in retribution, I guess, for being bothered.

So, we have a long history of fearing the impacts of technologies we don’t understand and attributing vastly unrealistic powers to them. This is going on right now, re: the Internet and foreign hackers, in spades. But as stated in Brito and Watkins (reference below):

Fear is not a basis for policymaking.

And yet, fear appears to be our driving stimulus in this situation. That is not a good sign.